Mobile equipment identity and/or iot equipment identity and application identity based security enforcement in service provider networks

ABSTRACT

Techniques for mobile equipment identity and/or IoT equipment identity and application identity based security enforcement in service provider networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for mobile equipment identity and/or IoT equipment identity and application identity based security enforcement in service provider networks includes monitoring network traffic on a service provider network at a security platform to identify a device identifier for a new session; determining an application identifier for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the device identifier and the application identifier.

BACKGROUND OF THE INVENTION

A firewall generally protects networks from unauthorized access whilepermitting authorized communications to pass through the firewall. Afirewall is typically a device or a set of devices, or software executedon a device, such as a computer, that provides a firewall function fornetwork access. For example, firewalls can be integrated into operatingsystems of devices (e.g., computers, smart phones, or other types ofnetwork communication capable devices). Firewalls can also be integratedinto or executed as software on computer servers, gateways,network/routing devices (e.g., network routers), or data appliances(e.g., security appliances or other types of special purpose devices).

Firewalls typically deny or permit network transmission based on a setof rules. These sets of rules are often referred to as policies. Forexample, a firewall can filter inbound traffic by applying a set ofrules or policies. A firewall can also filter outbound traffic byapplying a set of rules or policies. Firewalls can also be capable ofperforming basic routing functions.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the followingdetailed description and the accompanying drawings.

FIG. 1A is a block diagram of a 3G wireless network with a securityplatform for providing enhanced security in accordance with someembodiments.

FIG. 1B is a block diagram of a 4G/LTE wireless network with a securityplatform for providing enhanced security in accordance with someembodiments.

FIG. 2A is an example of GTPv1-C messages exchanged between an SGSN anda GGSN in a 3G network in accordance with some embodiments.

FIG. 2B is an example of GTPv2-C messages exchanged between entitiesincluding an MME, SGW, and a PGW in a 4G/LTE network in accordance withsome embodiments.

FIG. 3A is another example of a GTPv1-C message flow between an SGSN anda GGSN in a 3G network in accordance with some embodiments.

FIG. 3B is another example of a GTPv2-C message flow between an MME,SGW, and a PGW in a 4G/LTE network in accordance with some embodiments.

FIG. 4A is an example use case of providing enhanced security forroaming access in a 3G network in accordance with some embodiments.

FIG. 4B is an example use case of providing enhanced security forroaming access in a 4G/LTE network in accordance with some embodiments.

FIG. 4C is an example use case of providing enhanced security forroaming access in a mixed 3G and 4G/LTE network in accordance with someembodiments.

FIG. 4D is an example use case of providing enhanced security for mobileaccess in a 4G/LTE network in accordance with some embodiments.

FIG. 4E is an example use case of providing enhanced security fornon-3GPP access in a 4G/LTE network in accordance with some embodiments.

FIG. 4F is an example use case of providing enhanced security for mobileaccess using a core firewall in a 4G/LTE network in accordance with someembodiments.

FIG. 4G is an example use case of providing enhanced security for mobileaccess using a core firewall in a 3G network in accordance with someembodiments.

FIG. 5 is a functional diagram of hardware components of a networkdevice for performing security policy enforcement on mobile/serviceprovider network environments in accordance with some embodiments.

FIG. 6 is a functional diagram of logical components of a network devicefor performing security policy enforcement on mobile/service providernetwork environments in accordance with some embodiments.

FIG. 7 is a flow diagram of a process for performing location basedsecurity in mobile networks for service providers in accordance withsome embodiments.

FIG. 8 is a flow diagram of a process for performing mobile equipmentidentity and/or IoT equipment identity and application identity basedsecurity enforcement for service providers in mobile networks inaccordance with some embodiments.

FIG. 9 is a flow diagram of a process for performing mobile useridentity and/or SIM-based IoT identity and application identity basedsecurity enforcement for service providers in mobile networks inaccordance with some embodiments.

FIG. 10 is a flow diagram of a process for performing Radio AccessTechnology (RAT) based security in mobile networks for service providersin accordance with some embodiments.

DETAILED DESCRIPTION

The invention can be implemented in numerous ways, including as aprocess; an apparatus; a system; a composition of matter; a computerprogram product embodied on a computer readable storage medium; and/or aprocessor, such as a processor configured to execute instructions storedon and/or provided by a memory coupled to the processor. In thisspecification, these implementations, or any other form that theinvention may take, may be referred to as techniques. In general, theorder of the steps of disclosed processes may be altered within thescope of the invention. Unless stated otherwise, a component such as aprocessor or a memory described as being configured to perform a taskmay be implemented as a general component that is temporarily configuredto perform the task at a given time or a specific component that ismanufactured to perform the task. As used herein, the term ‘processor’refers to one or more devices, circuits, and/or processing coresconfigured to process data, such as computer program instructions.

A detailed description of one or more embodiments of the invention isprovided below along with accompanying figures that illustrate theprinciples of the invention. The invention is described in connectionwith such embodiments, but the invention is not limited to anyembodiment. The scope of the invention is limited only by the claims andthe invention encompasses numerous alternatives, modifications andequivalents. Numerous specific details are set forth in the followingdescription in order to provide a thorough understanding of theinvention. These details are provided for the purpose of example and theinvention may be practiced according to the claims without some or allof these specific details. For the purpose of clarity, technicalmaterial that is known in the technical fields related to the inventionhas not been described in detail so that the invention is notunnecessarily obscured.

A firewall generally protects networks from unauthorized access whilepermitting authorized communications to pass through the firewall. Afirewall is typically a device, a set of devices, or software executedon a device that provides a firewall function for network access. Forexample, a firewall can be integrated into operating systems of devices(e.g., computers, smart phones, or other types of network communicationcapable devices). A firewall can also be integrated into or executed assoftware applications on various types of devices or security devices,such as computer servers, gateways, network/routing devices (e.g.,network routers), or data appliances (e.g., security appliances or othertypes of special purpose devices).

Firewalls typically deny or permit network transmission based on a setof rules. These sets of rules are often referred to as policies (e.g.,network policies or network security policies). For example, a firewallcan filter inbound traffic by applying a set of rules or policies toprevent unwanted outside traffic from reaching protected devices. Afirewall can also filter outbound traffic by applying a set of rules orpolicies (e.g., allow, block, monitor, notify or log, and/or otheractions can be specified in firewall/security rules or firewall/securitypolicies, which can be triggered based on various criteria, such asdescribed herein). A firewall may also apply anti-virus protection,malware detection/prevention, or intrusion protection by applying a setof rules or policies.

Security devices (e.g., security appliances, security gateways, securityservices, and/or other security devices) can include various securityfunctions (e.g., firewall, anti-malware, intrusion prevention/detection,proxy, and/or other security functions), networking functions (e.g.,routing, Quality of Service (QoS), workload balancing of network relatedresources, and/or other networking functions), and/or other functions.For example, routing functions can be based on source information (e.g.,source IP address and port), destination information (e.g., destinationIP address and port), and protocol information.

A basic packet filtering firewall filters network communication trafficby inspecting individual packets transmitted over a network (e.g.,packet filtering firewalls or first generation firewalls, which arestateless packet filtering firewalls). Stateless packet filteringfirewalls typically inspect the individual packets themselves and applyrules based on the inspected packets (e.g., using a combination of apacket's source and destination address information, protocolinformation, and a port number).

Application firewalls can also perform application layer filtering(e.g., using application layer filtering firewalls or second generationfirewalls, which work on the application level of the TCP/IP stack).Application layer filtering firewalls or application firewalls cangenerally identify certain applications and protocols (e.g., webbrowsing using HyperText Transfer Protocol (HTTP), a Domain Name System(DNS) request, a file transfer using File Transfer Protocol (FTP), andvarious other types of applications and other protocols, such as Telnet,DHCP, TCP, UDP, and TFTP (GSS)). For example, application firewalls canblock unauthorized protocols that attempt to communicate over a standardport (e.g., an unauthorized/out of policy protocol attempting to sneakthrough by using a non-standard port for that protocol can generally beidentified using application firewalls).

Stateful firewalls can also perform stateful-based packet inspection inwhich each packet is examined within the context of a series of packetsassociated with that network transmission's flow of packets/packet flow(e.g., stateful firewalls or third generation firewalls). This firewalltechnique is generally referred to as a stateful packet inspection as itmaintains records of all connections passing through the firewall and isable to determine whether a packet is the start of a new connection, apart of an existing connection, or is an invalid packet. For example,the state of a connection can itself be one of the criteria thattriggers a rule within a policy.

Advanced or next generation firewalls can perform stateless and statefulpacket filtering and application layer filtering as discussed above.Next generation firewalls can also perform additional firewalltechniques. For example, certain newer firewalls sometimes referred toas advanced or next generation firewalls can also identify users andcontent. In particular, certain next generation firewalls are expandingthe list of applications that these firewalls can automatically identifyto thousands of applications. Examples of such next generation firewallsare commercially available from Palo Alto Networks, Inc. (e.g., PaloAlto Networks' PA Series next generation firewalls and Palo AltoNetworks' VM Series virtualized next generation firewalls).

For example, Palo Alto Networks' next generation firewalls enableenterprises and service providers to identify and control applications,users, and content—not just ports, IP addresses, and packets—usingvarious identification technologies, such as the following: App-ID™(e.g., App ID) for accurate application identification, User-ID™ (e.g.,User ID) for user identification (e.g., by user or user group), andContent-ID™ (e.g., Content ID) for real-time content scanning (e.g.,controls web surfing and limits data and file transfers). Theseidentification technologies allow enterprises to securely enableapplication usage using business-relevant concepts, instead of followingthe traditional approach offered by traditional port-blocking firewalls.Also, special purpose hardware for next generation firewallsimplemented, for example, as dedicated appliances generally provideshigher performance levels for application inspection than softwareexecuted on general purpose hardware (e.g., such as security appliancesprovided by Palo Alto Networks, Inc., which utilize dedicated, functionspecific processing that is tightly integrated with a single-passsoftware engine to maximize network throughput while minimizing latencyfor Palo Alto Networks' PA Series next generation firewalls).

Technical and Security Challenges in Today's Mobile Networks for ServiceProviders

In today's service provider network environments, the service providercan typically only implement a static security policy for wirelessdevices communicating over the service provider's wireless network(e.g., the service provider cannot define a security/firewall policy ona per endpoint basis and/or a per flow basis for wireless devicescommunicating over the service provider's wireless network), and anychanges generally require network infrastructure updates. Further, intoday's service provider network environments, the service providergenerally cannot implement a security policy that is based on hardwareattributes or location information associated with the wireless devicesfor wireless devices communicating over the service provider's wirelessnetwork (e.g., the service provider cannot implement the security policybased on various other relevant parameters associated with wirelessdevices, such as a unique hardware identifier and/or physical locationof a device communicating over the wireless network).

Thus, technical and security challenges with service provider networksexist. As such, what are needed are new and improved security techniquesfor such service provider network environments. Specifically, what areneeded are new and improved solutions for monitoring service providernetwork traffic and applying security policies (e.g., firewall policies)on service provider networks.

Overview of Techniques for Enhanced Security in Mobile Networks forService Providers

Accordingly, techniques for enhanced security platforms within serviceprovider network environments are disclosed. Specifically, varioussystem architectures for implementing and various processes forproviding security platforms within service provider networkenvironments that can monitor GPRS Tunneling Protocol (GTP) aredisclosed. More specifically, various system architectures forimplementing and various processes for providing security platformswithin service provider network environments that can monitor GPRSTunneling Protocol (GTP) including, for example, GTP-C for signalingbetween Gateway GPRS Support Nodes (GGSN) and Serving GPRS Support Nodes(SGSN), and GTP-U for user data within the GPRS/mobile core network andbetween the Radio Access Network (RAN) and the GPRS/mobile core networkare disclosed. For example, the disclosed techniques facilitate applyingsecurity policies based on an application, IP address, content ID,subscriber location, unique device identifier (e.g., InternationalMobile Equipment Identifier (IMEI) for a generally unique 3GPP deviceidentifier, such as for mobile phones for a Global System for MobileCommunications (GSM) network), unique subscriber identifier (e.g.,International Mobile Subscriber Identity (IMSI) for uniquely identifyinga GSM subscriber), Radio Access Technology (RAT) (e.g., for identifyingthe associated RAT for the mobile device), and/or any combinationthereof using next generation firewalls on service provider networks,such as further described below.

When a mobile device attaches to the network (e.g., a 3GPP/LTE EPCnetwork), the anchor gateway (e.g., the Packet Data Network (PDN)Gateway or PGW in a 3GPP/LTE EPC network) will generally query a PolicyCharging Function and Control (PCRF) entity over the Gx interface todetermine the policy for that subscriber. The PCRF entity will send backto the PGW information about, for example, QoS, filters, and/or otherpolicy related information that is stored in the PCRF entity for thatsubscriber that is to be applied for this subscriber (e.g., the PCRFentity is generally used to manage/control bandwidth and QoS on wirelessnetworks; and the AAA server is generally used for authenticationpurposes on wireless networks).

In one embodiment, a security platform is configured to monitor the GTPcommunications between the SGSN and GGSN in the mobile core network(e.g., next generation firewall, which can monitor a Create PDP Requestand/or various other GTP-C messages exchanged for activation, updating,and/or deactivation of the GTP sessions in the service provider'snetwork as further described below), and the security platform (e.g., afirewall (FW), a network sensor acting on behalf of the firewall, oranother device/component that can implement security policies using thedisclosed techniques) is configured to apply a security policy using oneor more parameters extracted from the GTP-C messages as furtherdescribed below. Thus, service providers, IoT device providers, and/orsystem integrators can use the disclosed techniques to configure andenforce enhanced security policies using one or more parametersextracted from the GTP-C messages as further described below.

In one embodiment, a security platform is configured to monitor the GTPcommunications between the SGSN and GGSN in the mobile core network(e.g., next generation firewall, which can monitor GTP-U traffic duringGTP sessions in the service provider's network as further describedbelow), and the security platform (e.g., a firewall (FW), a networksensor acting on behalf of the firewall, or another device/componentthat can implement security policies using the disclosed techniques) isconfigured to apply a security policy using one or more parametersextracted from the GTP-C messages and based on the user session trafficmonitored by the security platform during the GTP session (e.g., APP ID,Content ID, URL filtering, and/or other stateful packet inspectionextracted from the user traffic during the GTP session) as furtherdescribed below. Thus, service providers, IoT device providers, and/orsystem integrators can use the disclosed techniques to configure andenforce enhanced security policies using one or more parametersextracted from the GTP-C messages and information extracted from usertraffic in GTP sessions as further described below.

For example, service providers, IoT device providers, and/or systemintegrators can apply different security policies based on IMEI, IMSI,location, and/or RAT. As another example, service providers, IoT deviceproviders, and/or system integrators can apply different securitypolicies based on IMEI, IMSI, location, and/or RAT based on monitoreduser traffic during GTP sessions.

In one embodiment, a security platform (e.g., a firewall, a networksensor acting on behalf of the firewall, or another device/componentthat can implement security policies) is configured to use existing 3GPPto dynamically apply security policies (e.g., granular securitypolicies, which can be applied per subscriber (e.g., IMSI)/IP inreal-time, per mobile device (e.g., IMEI)/IP in real-time, persubscriber location/IP in real-time, per RAT/IP in real-time, and/or anycombinations thereof) as data calls are set-up and/or modified/updatedusing the disclosed techniques, such as further described below. Forexample, the security platform can be configured to dynamically applysecurity policy per IP flow for wireless devices.

In one embodiment, the signaling messages (e.g., messages exchanged foractivation, updating, and deactivation of tunneling sessions) in themobile core/service provider's core network are existing and/or standardmessages as used in current 3GPP EPC (e.g., GTP-C messages, such asGTPv1-C for 3G networks and GTPv2-C for 4G networks) and/or otherwireless network environments, and the security platform is configuredto monitor such messages to extract one or more parameters that can beutilized for applying security policies from these messages, as will befurther described below.

In one embodiment, a security platform is configured to monitor GTP-Cmessages to/from various network elements on the service providernetwork, such as the SGSN and GGSN (e.g., a Create PDP Request messageand a Create PDP Response, an Update PDP Request and an Update PDPResponse, and/or a Delete PDP Request and a Delete PDP Response), suchas further described below.

In one embodiment, the security platform is configured to monitor usersession traffic in tunneling sessions in the mobile core/serviceprovider's core network (e.g., GTP-U traffic) to perform Deep PacketInspection (DPI) security monitoring techniques that can be utilized forapplying security policies based on the user session traffic, as will befurther described below.

In one embodiment, a security platform is configured to monitor GTP-Usessions to/from various network elements in the service providernetwork as will be further described below.

In one embodiment, the security platform is configured to monitor thesignaling messages (e.g., messages exchanged for activation, updating,and deactivation of GTP tunnels, such as GTP-C messages) to/from variousnetwork elements on the service provider network, such as the SGSN andGGSN (e.g., a Create PDP Request message and a Create PDP Response, anUpdate PDP Request and an Update PDP Response, and/or a Delete PDPRequest and a Delete PDP Response) and is also configured to monitoruser session traffic in tunneling sessions in the mobile core/serviceprovider's core network (e.g., GTP-U traffic) to perform Deep PacketInspection (DPI) security monitoring techniques that can be utilized forapplying security policies based on information extracted from thesignaling messages and/or user session traffic, as will be furtherdescribed below.

In one embodiment, a subscriber/IP address is associated with (e.g.,mapped to) a security policy to facilitate security policy enforcementper IP flow using the security platform (e.g., a next generationfirewall (NGFW)). For example, the security platform can apply agranular security policy based on information extracted from thesignaling messages and/or user session traffic, as will be furtherdescribed below.

Example System Architectures for Implementing Enhanced Security inMobile Networks for Service Providers

FIG. 1A is a block diagram of a 3G wireless network with a securityplatform for providing enhanced security in accordance with someembodiments. FIG. 1A is an example service provider network environmentfor a 3G network architecture that includes a 3G network (e.g., and canalso include Wired, Wi-Fi, 4G, 5G, and/or other networks (not shown inFIG. 1A)) to facilitate data communications for subscribers over theInternet and/or other networks. As shown in FIG. 1A, a Radio AccessNetwork (RAN) 130 is in communication with a mobile core network 120.RAN 130 can include Macro Cell(s) 142 in the wireless network, and smallcells, such as 3G Micro Cell(s) 144, 3G Pico Cell(s) 146, and 3G FemtoCells 148 in the wireless network. As shown, various User Equipment (UE)132, 134, and 136 can communicate using various cells in RAN 130.

As also shown in FIG. 1A, the small cells, shown as 3G Micro Cell(s)144, 3G Pico Cell(s) 146, and 3G Femto Cell(s) 148, are in networkcommunication with a Home Node B Gateway (HNB GW) 108 over IP Broadbandwireless network 140 and, in this example, the traffic ismonitored/filtered using a security platform 102 (e.g., a (virtual)device/appliance that includes a firewall (FW), a network sensor actingon behalf of the firewall, or another device/component that canimplement security policies using the disclosed techniques) configuredto perform the disclosed security techniques as further described below.As also shown, Macro Cell(s) (NodeB) 142 is in network communicationwith the Radio Network Controller (RNC) 110, and the traffic ismonitored/filtered using a security platform 102 (e.g., a firewall (FW),a network sensor acting on behalf of the firewall, or anotherdevice/component that can implement security policies using thedisclosed techniques) configured to perform the disclosed securitytechniques as further described below.

As also shown in FIG. 1A, HNB GW 108 and RNC 110 are each incommunication with a Packet Data Network (PDN) 122 via a Serving GPRSSupport Node (SGSN) 112 and a Gateway GPRS Support Node (GGSN) 114 of amobile (3G) core network 120 and with a Public Switched TelephoneNetwork (PSTN) 124 via a Mobile Switching Center (MSC) 116 of mobilecore network 120. As shown, the traffic passing through the mobile corenetwork between SGSN 112 and GGSN 114 of mobile core network 120 ismonitored/filtered using a security platform 102 (e.g., a firewall (FW),a network sensor acting on behalf of the firewall, or anotherdevice/component that can implement security policies using thedisclosed techniques) configured to perform the disclosed securitytechniques as further described below.

For example, various UE, such as the UE shown at 132, 134, and 136, caninclude mobile and/or stationary wireless network enabled devices thatcan communicate over RAN 130 to access PDN 122, such as a securitycamera (e.g., which may be in a fixed location), a watch, mobile/smartphone, tablet, laptop, computer/PC or other computing device (which maybe mobile or at a fixed location), an automobile, a baby monitor, athermostat, and/or various other network enabled computing devices(e.g., any device associated with the Internet of Things (IoT)). Varioususe case scenarios applying the disclosed security techniques towireless network enabled devices to facilitate new and enhanced securitywill be further described below.

Thus, in this example, a network architecture for performing thedisclosed security techniques for a 3G network implementation isprovided in which a security platform(s) can be provided to performtraffic monitoring and filtering to provide new and enhanced securitytechniques based on signaling and DPI information as further describedbelow. As will now be apparent to one of ordinary skill in the art inview of the disclosed embodiments, a security platform(s) can similarlybe provided in various other locations within the network architecture(e.g., an inline, pass-through NGFW, such as shown by FW 102, and/orimplemented as agents or virtual machines (VM) instances, which can beexecuted on existing devices in the service provider's network, such asSGSN 112 and/or GGSN 114) and in various wireless network environments,such as 3G, 4G, 5G, and/or other wireless network environments toperform the disclosed security techniques as further described below. Asalso described further below, the disclosed security techniques cansimilarly be applied to roaming devices that connect to the mobile coreof the wireless network environment.

FIG. 1B is a block diagram of a 4G/LTE wireless network with a securityplatform for providing enhanced security in accordance with someembodiments. FIG. 1B is an example service provider network environmentfor a 4G/Long Term Evolution (LTE) Evolved Packet Core (EPC) networkarchitecture that includes a 4G/LTE network (e.g., and can also includeWired, Wi-Fi, 3G, 5G, and/or other networks) to facilitate datacommunications for subscribers over the Internet and/or other networks.As shown in FIG. 1B, a Radio Access Network (RAN) 180 is incommunication with an Evolved Packet Core (EPC) network 170. RAN 180 caninclude LTE Macrocell(s) 192 in the wireless network, and small cells,such as LTE Microcell(s) 194, LTE Picocell(s) 196, and LTE Femtocells198 in the wireless network. As shown, various User Equipment (UE) 182,184, and 186 can communicate using various cells in RAN 180.

As also shown in FIG. 1B, Femtocell(s) 198, is in network communicationwith a Home eNode B Gateway (HeNB GW) 158 over IP Broadband wirelessnetwork 190, and, in this example, the traffic is monitored/filteredusing a security platform 156E (e.g., a (virtual) device/appliance thatincludes a firewall (FW), a network sensor acting on behalf of thefirewall, or another device/component that can implement securitypolicies using the disclosed techniques) configured to perform thedisclosed security techniques as further described below. As also shown,Macro Cell(s) 192 is in network communication with a Mobility ManagementEntity (MME) 160 and a Serving Gateway (SGW) 162, and the traffic ismonitored/filtered using a FW 156D , and, in this example, the trafficis monitored/filtered using a security platform (e.g., a (virtual)device/appliance that includes a firewall (FW), a network sensor actingon behalf of the firewall, or another device/component that canimplement security policies using the disclosed techniques) configuredto perform the disclosed security techniques as further described below.

As also shown in FIG. 1B, HeNB GW 158 is in communication with a PacketData Network (PDN) 172 via SGW 162 and a PDN Gateway (PGW) 164 ofEvolved Packet Core (EPC) network 170. As shown, the traffic passingthrough the mobile core network between SGW 162 and GGSN/PGW 164 of EPC170 is monitored/filtered using a security platform 152 (e.g., a(virtual) device/appliance that includes a firewall (FW), a networksensor acting on behalf of the firewall, or another device/componentthat can implement security policies using the disclosed techniques)configured to perform the disclosed security techniques as furtherdescribed below.

For example, various UEs, such as UEs shown at 174, 176, 182, 184, and186, can include mobile and/or stationary wireless network enableddevices that can communicate over RAN 180, Untrusted Non-3GPP Wi-Fiaccess 177, and/or Trusted 3GPP Wi-Fi access 178, to access PDN 172 viaEPC 170 in which such communications can be monitored using securityplatforms 152, 156A, 156B, 156C, 156D, 156E, 156F, and/or 156G as shownin FIG. 1B (e.g., the security platforms can be located at variouslocations/interfaces within EPC 170 as shown in FIG. 1B) and as furtherdescribed below. Example UEs can include a security camera (e.g., whichmay be in a fixed location), a watch, mobile/smart phone, tablet,laptop, computer/PC or other computing device (which may be mobile or ata fixed location), an automobile, a baby monitor, a thermostat, and/orvarious other network enabled computing devices (e.g., any deviceassociated with the Internet of Things (IoT)). Various use casescenarios applying the disclosed security techniques to wireless networkenabled devices to facilitate new and enhanced security will be furtherdescribed below.

Thus, in this example, a network architecture for performing thedisclosed security techniques for a 4G/LTE EPC network implementation isprovided in which a security platform(s) can be provided to performtraffic monitoring and filtering to provide new and enhanced securitytechniques based on signaling and DPI information as further describedbelow. As will now be apparent to one of ordinary skill in the art inview of the disclosed embodiments, a security platform(s) can similarlybe provided in various other locations within the network architecture(e.g., an inline, pass-through NGFW, such as shown by FW 152, and/orimplemented as agents or virtual machines (VM) instances, which can beexecuted on existing devices in the service provider's network, such asSGW 162 and/or PGW 164) and in various wireless network environments,such as 3G, 4G, 5G, and/or other wireless network environments toperform the disclosed security techniques as further described below. Asalso described further below, the disclosed security techniques cansimilarly be applied to roaming devices that connect to the mobile coreof the wireless network environment.

FIG. 2A is an example of GTPv1-C messages exchanged between an SGSN anda GGSN in a 3G network in accordance with some embodiments.Specifically, FIG. 2A shows GTPv1-C messages exchanged for activating,updating, and deactivating GTP sessions between an SGSN 212 and a GGSN214 in a 3G network using a Gn/Gp interface. GTP is a standardizedprotocol that is based on the User Datagram Protocol (UDP).

Referring to FIG. 2A, a first message that is sent from SGSN 212 to GGSN214 is a Create PDP Context Request message as shown at 220. The CreatePDP Context Request message is a message to allocate a control and datachannel for a new network communication access request for a mobiledevice in a 3G network (e.g., to be provided with a tunnel for user IPpackets for network communications over a mobile service provider'snetwork). For example, the Create PDP Context Request message caninclude location, hardware identity (e.g., IMEI), subscriber identity(e.g., IMSI), and/or radio access technology (RAT) information in thenew network communication access request for the mobile device.

In one embodiment, the security platform monitors GTP-C messages in themobile core to extract certain information included within GTP-Cmessages based on a security policy (e.g., monitoring GTPv1-C messagesusing a pass through firewall/NGFW that is located between the SGSN andGGSN in the mobile core such as shown in FIG. 1A and/or between variousother elements/entities in the mobile core/EPC such as shown in FIG. 1B,or using a firewall/NGFW implemented as VM instances or agents executedon the SGSN, GGSN, SGW, PGW, and/or other entities in the mobile corenetwork/EPC). For example, the security platform can monitor GTP-Cmessages and extract location, hardware identity (e.g., IMEI),subscriber identity (e.g., IMSI), and/or radio access technology (RAT)from the Create PDP Request message, such as further described below.

As shown in FIG. 2A, GGSN 214 sends a Create PDP Context Responsemessage as shown at 222 to SGSN 212 to indicate whether the Create PDPContext Request is granted or not for the mobile device (e.g., whetherto allow tunneled user data traffic in the mobile core network for themobile device). The Create PDP Context Request and Create PDP ContextResponse messages sent using UDP communications on port 2123 are usedfor creating the PDP context as shown in FIG. 2A.

As also shown in FIG. 2A, an Update PDP Context Request message shown at224 and an Update PDP Context Response message shown at 226 areexchanged between the SGSN and GGSN. For example, Update PDP ContextRequest/Response messages sent using UDP communications on port 2123 canbe used to update one or more parameters for the connection/session.

Referring to FIG. 2A, in this example, the request for networkcommunication access for the mobile device on the mobile serviceprovider's network is allowed, and the SGSN sends a T-PDU message(s)shown at 228. For example, TPDU message(s) can be used for mobile usernetwork communication (e.g., IP packets) inside the tunnel (e.g.,control/signaling messages are generally communicated on port 2123 usingthe GTP-C protocol, and user data messages are generally communicated onport 2152 using the GTP-U protocol). As shown at 230, T-PDU messagesgenerally include a GTP Header, IP Header, TCP Header, and HTTP payload.

As also shown in FIG. 2A, the PDP context is deleted after completion ofthe user data session. Specifically, the PDP context is deleted aftertransfer of the user data is completed and the SGSN and GGSN exchange aDelete PDP Context Request message as shown at 232 and a Delete PDPContext Response message as shown at 234. The Delete PDP Context Requestand Delete PDP Context Response messages sent using UDP communicationson port 2123 are used for deleting the PDP context as also shown in FIG.2A.

In one embodiment, the disclosed techniques perform inspection ofsignaling/control traffic in service provider networks, such as GTP-Ctraffic, and inspection of tunneled user traffic in service providernetworks, such as GTP-U traffic (e.g., using a security platform, suchas implemented using an NGFW that is capable of performing DPI toidentify an APP ID, a user ID, a content ID, perform URL filtering,and/or other firewall/security policy for security/threatdetection/prevention). In one embodiment, the disclosed techniquesperform inspection of signaling/control traffic in service providernetworks, such as GTP-C traffic, to extract information exchanged in theGTP-C traffic (e.g., parameters, such as location information associatedwith the subscriber/mobile device, device ID/IMEI, subscriberinformation/IMSI, and/or RAT, such as further described below). In oneembodiment, the disclosed techniques perform inspection ofsignaling/control traffic in service provider networks, such as GTP-Ctraffic, to extract information exchanged in the GTP-C traffic (e.g.,parameters, such as described above and further described below) as wellas to monitor tunneled user traffic in service provider networks (e.g.,using DPI, such as described above and further described below).

In an example implementation, the security platform is configured tomonitor the respective interfaces of the SGSN and GGSN to monitorcontrol/signaling traffic (e.g., GTP-C messages) and tunneled usertraffic (GTP-U) to implement a security platform with GTP monitoringcapabilities that implements security policies, which can use, forexample, location information associated with the subscriber/mobiledevice, device ID/IMEI, subscriber information/IMSI, and/or RAT, such asfurther described below that can be extracted from control/signalingtraffic (e.g., GTP-C messages) as well as performing DPI for IP packetsinside the tunnel (e.g., TPDU), as further described below. As describedabove, the location information/parameters, hardware identity (e.g.,IMEI), subscriber identity (e.g., IMSI), and/or radio access technology(RAT), such as further described below, can be extracted from the CreatePDP Request message by the security platform, which can be stored (e.g.,cached as associated with the IP flow) for use in applying a securitypolicy based on this extracted information and/or in combination withDPI, such as further described below.

FIG. 2B is an example of GTPv2-C messages exchanged between entitiesincluding an MME, SGW, and a PGW in a 4G/LTE network in accordance withsome embodiments. Specifically, FIG. 2B shows GTPv2-C messages exchangedfor an LTE Attach procedure with details of the GTPv2-C messagesexchanged between an MME 252, SGW 254, and a PDN-GW (PGW) 256 (e.g.,shown as a GGSN/PGW in FIG. 1B) in a 4G/LTE network. As discussed above,GTP is a standardized protocol that is based on the User DatagramProtocol (UDP).

Referring to FIG. 2B, a Create Session Request message is sent from MME252 to SGW 254 as shown at 260 and then from SGW 254 to PGW 256 as shownat 262. The Create Session Request message is a message to allocate acontrol and data channel for a new network communication access requestfor a mobile device in a 4G/LTE network (e.g., to be provided with atunnel for user IP packets for network communications over a mobileservice provider's network). For example, the GTP Create Session Requestmessage can include location, hardware identity (e.g., IMEI), subscriberidentity (e.g., IMSI), and/or radio access technology (RAT) informationin the new network communication access request for the mobile device.

In one embodiment, the security platform monitors GTP-C messages betweenthe MME, SGW, and PGW to extract certain information included withinGTP-C messages based on a security policy (e.g., monitoring GTPv2-Cmessages using a pass through firewall/NGFW that is located between theMME, SGW, and PGW or using a firewall/NGFW implemented as VM instancesor agents executed on the MME, SGW, and PGW, and/or other entities inthe mobile core network). For example, the security platform can monitorGTP-C messages and extract the location, hardware identity (e.g., IMEI),subscriber identity (e.g., IMSI), and/or radio access technology (RAT)from the Create Session Request message, such as further describedbelow.

As shown in FIG. 2B, after session establishment as shown at 264, PGW256 sends a Create Session Response message as shown at 266 to SGW 254and then from SGW 254 to MME 252 as shown at 268 to indicate whether theCreate Session Request is granted or not for the mobile device (e.g.,whether to allow tunneled user data traffic in the mobile core networkfor the mobile device). The Create Session Request and Create SessionResponse messages sent using UDP communications on port 2123 are usedfor creating the initial setup context for the session as shown in FIG.2B.

As also shown in FIG. 2B, a Modify Bearer Request message shown at 270and a Modify Bearer Response message shown at 272 are exchanged betweenthe SGW and MME. For example, Modify Bearer Request/Response messagessent using UDP communications on port 2123 can be used to update one ormore parameters for the connection/session.

In one embodiment, the disclosed techniques perform inspection ofsignaling/control traffic in service provider networks, such as GTP-Ctraffic, and inspection of tunneled user traffic in service providernetworks, such as GTP-U traffic (e.g., using a security platform, suchas implemented using a NGFW that is capable of performing DPI toidentify an APP ID, a user ID, a content ID, perform URL filtering,and/or other firewall/security policy for security/threatdetection/prevention). In one embodiment, the disclosed techniquesperform inspection of signaling/control traffic in service providernetworks, such as GTP-C traffic, to extract information exchanged in theGTP-C traffic (e.g., parameters, such as location information associatedwith the subscriber/mobile device, device ID/IMEI, subscriberinformation/IMSI, and/or RAT, such as further described below). In oneembodiment, the disclosed techniques perform inspection ofsignaling/control traffic in service provider networks, such as GTP-Ctraffic, to extract information exchanged in the GTP-C traffic (e.g.,parameters, such as described above and further described below) as wellas to monitor tunneled user traffic in service provider networks (e.g.,using DPI, such as described above and further described below).

In an example implementation, the security platform is configured tomonitor the respective interfaces of the MME, SGW, and PGW to monitorcontrol/signaling traffic (e.g., GTP-C messages) and tunneled usertraffic (GTP-U) to implement a security platform with GTP monitoringcapabilities that implements security policies, which can use, forexample, parameters, such as location information associated with thesubscriber/mobile device, device ID/IMEI, subscriber information/IMSI,and/or RAT, and/or any other parameters/information that can beextracted from control/signaling traffic (e.g., GTP-C messages) as wellas performing DPI for IP packets inside the tunnel, as further describedbelow. As described above, the location information/parameters, hardwareidentity (e.g., IMEI), subscriber identity (e.g., IMSI), and/or radioaccess technology (RAT) can be extracted from the Create Session Requestmessage by the security platform, which can be stored (e.g., cached asassociated with the IP flow) for use in applying a security policy basedon this extracted information and/or in combination with DPI, such asfurther described below.

The disclosed techniques are illustrated and generally described hereinwith respect to performing network traffic inspection of GTPv1-C andGTP-U traffic in a 3G Mobile Packet Core (MPC) and in a 4G EvolvedPacket Core (EPC) using the GTPv2-C and GTP-U protocols, and/or can besimilarly implemented in other mobile core networks/using other mobilenetwork protocols (e.g., such as for 5G core networks or other mobilenetworks/protocol) that include location, device, subscriber, and/or RATparameters/information (e.g., location information, hardware identity,subscriber identifier information, RAT type information and/or otheruser/device/network specific parameters in the respective protocols)and/or tunneled user traffic on service provider networks for mobiledevice communications.

FIG. 3A is another example of a GTPv1-C message flow between an SGSN anda GGSN in a 3G network in accordance with some embodiments.Specifically, FIG. 3A shows GTPv1-C messages exchanged for a GTPv1-CCreate PDP Message flow between an SGSN 302 and a GGSN 304 in a 3Gnetwork.

Referring to FIG. 3A, a Create PDP Request message is sent from SGSN 302to GGSN 304 using the Gn/Gp interface as shown at 310. A Create PDPResponse message is sent from GGSN 304 to SGSN 302 using the Gn/Gpinterface as shown at 312.

FIG. 3B is another example of a GTPv2-C message flow between an MME,SGW, and a PGW in a 4G/LTE network in accordance with some embodiments.Specifically, FIG. 3B shows GTPv2-C messages exchanged for a GTPv2-CCreate Session Message flow between an MME 322, SGW 324, and a PDN-GW(PGW) 326 (e.g., shown as a GGSN/PGW in FIG. 1B) in a 4G/LTE network.

Referring to FIG. 3B, a Create Session Request message is sent from MME322 to SGW 324 using the S11 interface as shown at 330 and then from SGW324 to PGW 326 using the S5/S8 interface as shown at 332. A CreateSession Response message is sent from PGW 326 to SGW 324 using the S5/S8interface as shown at 334 and then from SGW 324 to MME 322 using the S11interface as shown at 336.

As will now be further described below, various information/parameters,such as location, hardware identity (e.g., IMEI), subscriber identity(e.g., IMSI), and/or radio access technology (RAT) can be extracted fromthe control/signaling traffic (e.g., GTPv1-C Create PDP Requestmessages, GTPv2-C Create Session Request messages, and/or othercontrol/signaling protocols/messages in a mobile core network) monitoredby the security platform, which can be stored (e.g., cached asassociated with the IP flow) for use in applying a security policy basedon this extracted information and/or in combination with DPI performedby the security platform on tunneled user data traffic (e.g., GTP-Utraffic and/or other tunneled user data protocols in a mobile corenetwork).

Techniques for Location Based Security in Mobile Networks for ServiceProviders

In one embodiment, the disclosed techniques for enhanced security inmobile networks for service providers include providing location basedsecurity in mobile networks for service providers. For example, mobileservice providers (e.g., service providers of mobile networks, serviceproviders of mobile devices or IoTs, security service providers, orother entities that provide devices/services associated with usingmobile networks) can apply the disclosed techniques to provide locationbased security to user devices (e.g., mobile devices of subscribers)and/or IoT devices that connect to their mobile network using 3G, 4G, or5G Radio Access Technology (RAT).

In one embodiment, mobile service providers can apply the disclosedtechniques to provide new and enhanced location based security services.For example, mobile service providers can apply the disclosed techniquesto provide a location based firewall service. As another example, mobileservice providers can apply the disclosed techniques to provide alocation based threat detection service (e.g., a location based, basicthreat detection service for known threats, a location based, advancedthreat detection service for unknown threats, and/or other threatdetection services that can utilize location based information to applysecurity policies). As yet another example, mobile service providers canapply the disclosed techniques to provide a location based threatprevention service for known threats (e.g., a location based, basicthreat prevention service for known threats, a location based, advancedthreat prevention service for unknown threats, and/or other threatprevention services that can utilize location based information to applysecurity policies). As an additional example, mobile service providerscan apply the disclosed techniques to provide a location based URLfiltering service.

In one embodiment, the disclosed techniques for enhanced security inmobile networks for service providers include performing location basedsecurity in mobile networks using a security platform that can implementsecurity policies based on location information. For example, a securityplatform can monitor GTP-C traffic in a mobile network and process(e.g., parse) GTP-C messages to extract location information (e.g.,location information can be extracted from a Create PDP Request messagesent from an SGSN to a GGSN in a mobile core network).

As similarly described above, GPRS Tunneling Protocol (GTP) is a groupof IP-based communication protocols used on various interfaces withinthe Global System for Mobile Communication (GSM), Universal MobileTelecommunications System (UMTS), and Long Term Evolution (LTE) network.GTPv1-C and GTPv2-C are used in today's mobile networks (e.g., GTPv1-Cand GTPv2-C are generally used in today's 3G and 4G/LTE mobile networks,respectively).

In one embodiment, a security platform is configured to extract userlocation information from a GTPv1-C Create PDP Request (e.g., in a 3Gmobile network). In one embodiment, a security platform is configured toextract user location information from a GTPv2-C Create Session (e.g.,in a 4G mobile network).

For example, such a Request message can generally be sent by variousnetwork elements in a mobile network (e.g., Serving Gateway (SGW),Mobility Management Entity (MME), and/or other network elements in themobile network). Also, such a Request message can generally be sent onvarious interfaces (e.g., S11, S5/S8, S4, and/or other interfaces in themobile network as part of many procedures, such as an E-UTRAN initialattach, UE requested PDN connectivity, PDP content activation, handoverfrom trusted or untrusted non-3gpp IP access to E-UTRAN, and/or otherprocedures). The user Location Information Element (IE) is generallypresent in a GTPv2-C Create Session Request message as specified in 3GPPTS 29.274.

In one embodiment, the security platform can extract locationidentifiers (e.g., Location IEs) (e.g., supported by GTPv1-C, GTPv2-C,or other network protocols) that can be used to apply security in mobilenetworks for service providers. Example location identifiers supportedby GTPv2-C that can be used to apply security in mobile networks forservice providers include the following: CGI (Cell Global Identifier),SAI (Service Area Identifier), RAI (Routing Area Identifier), TAI(Tracking Area Identifier), ECGI (E-UTRAN Cell Global Identifier), LAC(Location Area Identifier), and/or other location identifiers orcombinations thereof. Specifically, CGI (Cell Global Identifier)generally provides location information that includes the followingparameters: MCC (Mobile Country Code), MNC (Mobile Network Code), LAC(Location Area Code), and CI (Cell Identity) (e.g., CI is generally anarea of several hundreds of meters within the base station). SAI(Service Area Identifier) generally provides location information thatincludes the following parameters: MCC, MNC, LAC, and SAC (Service AreaCode). RAI (Routing Area Identifier) generally provides locationinformation that includes the following parameters: MCC, MNC, LAC, andRAC (Routing Area Code). TAI (Tracking Area Identifier) generallyprovides location information that includes the following parameters:MCC, MNC, and TAC (Tracking Area Code). ECGI (E-UTRAN Cell GlobalIdentifier) generally provides location information that corresponds toMCC, MNC, and ECI (E-UTRAN Cell Identifier). LAC (Location AreaIdentifier) generally provides location information that includes thefollowing parameters: MCC, MNC, and LAC.

For example, the security platform can monitor GTPv2-C Create SessionRequest messages to extract such location parameters. Specifically, CGI,SAI, RAI, TAI ECGI, and LAC are included as parameters that can beextracted from a GTPv2-C Create Session Request message. In some cases,the GTPv2-C Create Session Request message can include two or more ofsuch location parameters (e.g., CGI and SAI). Example use case scenariosfor enhanced security that can be performed on mobile networks forservice providers using such location information are further describedbelow (e.g., a fire emergency use case scenario that uses locationinformation to restrict flying drones from being used in a specific areaby/near the fire emergency as further described below).

As another example, the security platform can extract user locationinformation from GTPv1-C Create PDP Request messages, which aregenerally sent from an SGSN node to a GGSN node as a part of the GPRSPDP Context Activation procedure as similarly described herein withrespect to FIG. 2A. The user Location Information Element (IE) isgenerally present in a GTPv1-C Create PDP Context Request message asspecified in 3GPP TS 29.060. Example location identifiers supported byGTPv1-C that can be used to apply security in mobile networks forservice providers include the following: CGI (Cell Global Identifier),SAI (Service Area Identifier), and RAI (Routing Area Identifier), and/orother location identifiers or combinations thereof. Specifically, CGI(Cell Global Identifier) generally provides location information thatincludes the following parameters: MCC (Mobile Country Code), MNC(Mobile Network Code), LAC (Location Area Code), and CI (Cell Identity)(e.g., CI is generally an area of several hundreds of meters within thebase station). SAI (Service Area Identifier) generally provides locationinformation that includes the following parameters: MCC, MNC, LAC, andSAC (Service Area Code). RAI (Routing Area Identifier) generallyprovides location information that includes the following parameters:MCC, MNC, LAC, and RAC (Routing Area Code).

Accordingly, the disclosed techniques for enhanced security in mobilenetworks for service providers include performing location basedsecurity in mobile networks using a security platform that can implementsecurity policies based on location information.

In one embodiment, the security platform can extract locationinformation to perform security based on a security policy that can beapplied based on the location information (e.g., per CGI, SAI, RAI, TAI,ECGI, and/or LAC in the mobile network). In one embodiment, the securityplatform can extract location information to perform threat detectionbased on a security policy that can be applied based on the locationinformation (e.g., per CGI, SAI, RAI, TAI, ECGI, and/or LAC in themobile network).

In one embodiment, the security platform can extract locationinformation to perform threat prevention based on a security policy thatcan be applied based on the location information (e.g., per CGI, SAI,RAI, TAI, ECGI, and/or LAC in the mobile network).

In one embodiment, the security platform can extract locationinformation to perform URL filtering based on a security policy that canbe applied based on the location information (e.g., per CGI, SAI, RAI,TAI, ECGI, and/or LAC in the mobile network).

In one embodiment, the security platform can extract locationinformation to perform threat detection, threat prevention, URLfiltering, and/or other security techniques (e.g., including usingDPI-based security techniques from monitored tunneled user traffic)based on a security policy that can be applied based on the locationinformation (e.g., per CGI, SAI, RAI, TAI, ECGI, and/or LAC in themobile network).

As will now be apparent to those of ordinary skill in the art, mobileservice providers (e.g., service providers of mobile networks, serviceproviders of mobile devices or IoTs, security service providers, orother entities that provide devices/services associated with usingmobile networks) can provide each of these location based firewallservices or combinations thereof as well as various other location basedservices using the disclosed techniques. Also, mobile service providerscan apply the disclosed techniques to provide such location basedfirewall services in combination with various other enhanced securityservices, such as subscriber/user identity based, hardware identitybased, RAT based, and/or combinations thereof, as further describedbelow.

These and other techniques for providing enhanced security in mobilenetworks for service providers based on location information (e.g.,and/or in combination with other DPI and/or NGFW techniques, such asApplication-ID, user ID, content ID, URL filtering, etc.) will befurther described below.

Techniques for Mobile Equipment Identity and/or IoT Equipment IdentityBased Security Enforcement in Mobile Networks for Service Providers

As discussed above, the International Mobile Equipment Identity (IMEI)is a unique identifier (e.g., a 16 or 15 digit code) that is generallyused to identify a mobile device (e.g., a hardware device) to a mobilenetwork (e.g., a GSM or UMTS network). For example, the IMEI can providea unique hardware identifier (ID) for a mobile device/station, includinga mobile/smart phone, laptop, tablet, or other computing device, or anIoT device, or any other device that has a Subscriber Identity Module(SIM) card or Embedded-SIM/Embedded Universal Integrated Circuit Card(eUICC) and communicates on a mobile network or any other device (e.g.,a GSM or UMTS network). In an example implementation, Mobile EquipmentIdentity/IMEI and/or IoT Equipment identity (e.g., IMEI or IMEISV) asdefined in 3GPP TS 23.003, and Application-ID based security that can beimplemented using a NGFW by parsing GTP-C messages for IMEI/IMEISVinformation and inspecting tunneled traffic (e.g., DPI of GTP-U traffic)are further described herein.

In one embodiment, the disclosed techniques for enhanced security inmobile networks for service providers include providing a mobile deviceidentifier based security in mobile networks for service providers. Forexample, mobile service providers can apply the disclosed techniques toprovide mobile device identifier based security (e.g., in combinationwith Application-ID using a NGFW) to user devices (e.g., mobile devicesof subscribers) and/or IoT devices that connect to their mobile networkusing 3G, 4G, or 5G Radio Access Technology (RAT).

In one embodiment, the disclosed techniques for enhanced security inmobile networks for service providers include providing enhancedsecurity in mobile networks for service providers using a mobile deviceidentifier and Application-ID. For example, mobile service providers canapply the disclosed techniques to provide enhanced security to userdevices (e.g., mobile devices of subscribers) and/or IoT devices thatconnect to their mobile network using 3G, 4G, or 5G Radio AccessTechnology (RAT) based on a mobile device identifier and Application-ID(e.g., an Application-ID can be determined by a security platformmonitoring tunneled user traffic that is inspected using DPI techniquesimplemented by a NGFW as further described below).

In one embodiment, mobile service providers can apply the disclosedtechniques to provide new and enhanced security services using a mobiledevice identifier and/or using a mobile device identifier andApplication-ID. For example, mobile service providers can apply thedisclosed techniques to provide a firewall service using a mobile deviceidentifier and Application-ID. As another example, mobile serviceproviders can apply the disclosed techniques to provide a threatdetection service using a mobile device identifier and Application-ID(e.g., a mobile device identifier based, basic threat detection servicefor known threats, a mobile device identifier based, advanced threatdetection service for unknown threats, and/or other threat detectionservices that can utilize mobile device identifier based information toapply security policies). As yet another example, mobile serviceproviders can apply the disclosed techniques to provide a threatprevention service for known threats using a mobile device identifierand Application-ID (e.g., a mobile device identifier based, basic threatprevention service for known threats, a mobile device identifier based,advanced threat prevention service for unknown threats, and/or otherthreat prevention services that can utilize mobile device identifierbased information to apply security policies). As an additional example,mobile service providers can apply the disclosed techniques to provide aURL filtering service using a mobile device identifier andApplication-ID. As a further example, mobile service providers can applythe disclosed techniques to provide an application Denial of Service(DoS) detection service for DoS attacks using a mobile device identifierand Application-ID. As another example, mobile service providers canapply the disclosed techniques to provide an application Denial ofService (DoS) prevention service for DoS attacks using a mobile deviceidentifier and Application-ID.

In one embodiment, the disclosed techniques for enhanced security inmobile networks for service providers include performing mobile deviceidentifier based security in mobile networks using a security platformthat can implement security policies based on mobile device identifierinformation. For example, a security platform can monitor GTP-C trafficin a mobile network and process (e.g., parse) GTP-C messages to extractmobile device identifier information (e.g., mobile device identifierinformation, such as IMEI, can be extracted from a Create PDP Requestmessage in a 3G mobile network or a Create Session Request message in a4G mobile network).

As similarly described above, GPRS Tunneling Protocol (GTP) is a groupof IP-based communication protocols used on various interfaces withinthe Global System for Mobile Communication (GSM), Universal MobileTelecommunications System (UMTS), and Long Term Evolution (LTE) network.GTPv1-C and GTPv2-C are used in today's mobile networks (e.g., GTPv1-Cand GTPv2-C are generally used in today's 3G and 4G/LTE mobile networks,respectively).

In one embodiment, a security platform is configured to extract mobiledevice identifier information (e.g., IMEI or IMEISV) from a GTPv1-CCreate PDP Request (e.g., in a 3G mobile network). In one embodiment, asecurity platform is configured to extract mobile device identifierinformation (e.g., IMEI or IMEISV) from a GTPv2-C Create Session (e.g.,in a 4G mobile network).

For example, a GTPv2-C Create Session Request message can generally besent by various network elements in a mobile network (e.g., ServingGateway (SGW), Mobility Management Entity (MME), and/or other networkelements in the mobile network) as similarly described herein withrespect to FIG. 2B. Also, such a Create Session Request message cangenerally be sent on various interfaces (e.g., S11, S5/S8, S4, and/orother interfaces in the mobile network as part of many procedures, suchas an E-UTRAN initial attach, UE requested PDN connectivity, PDP contentactivation, handover from trusted or untrusted non-3GPP IP access toE-UTRAN, and/or other procedures). The IMEI Information Element (IE) isgenerally present in a GTPv2-C Create Session Request message asspecified in 3GPP TS 29.274.

As another example, the security platform can extract mobile deviceidentifier information (e.g., IMEI or IMEISV) from GTPv1-C Create PDPRequest messages, which are generally sent from an SGSN node to a GGSNnode as a part of the GPRS PDP Context Activation procedure as similarlydescribed herein with respect to FIG. 2A.

Accordingly, the disclosed techniques for enhanced security in mobilenetworks for service providers include performing security in mobilenetworks using a security platform that can implement security policies(e.g., for users/subscribers of the mobile network) based on IMEI andApplication-ID. In addition, the disclosed techniques for enhancedsecurity in mobile networks for service providers include performingsecurity in mobile networks using a security platform that can implementsecurity policies (e.g., for mobile devices and/or IoT devices) based onIMEI and Application-ID.

In one embodiment, the security platform can extract mobile deviceidentifier information (e.g., IMEI or IMEISV) to perform security basedon a security policy that can be applied based on the mobile deviceidentifier information. In one embodiment, the security platform canextract mobile device identifier information (e.g., IMEI or IMEISV) andperform DPI to identify an Application-ID to perform security based on asecurity policy that can be applied based on the mobile deviceidentifier information and Application-ID.

In one embodiment, the security platform can extract mobile deviceidentifier information (e.g., IMEI or IMEISV) and perform DPI toidentify an Application-ID to perform security based on a securitypolicy that can be applied based on the mobile device identifierinformation and Application-ID. For example, the security platform canperform threat detection by applying a security policy per IMEI andApplication-ID in mobile and converged networks using the disclosedtechniques. As another example, the security platform can perform threatprevention by applying a security policy per IMEI and Application-ID inmobile and converged networks using the disclosed techniques. As yetanother example, the security platform can perform URL filtering byapplying a security policy per IMEI and Application-ID in mobile andconverged networks using the disclosed techniques. Example use casescenarios for enhanced security that can be performed on mobile networksfor service providers using such mobile device identifier information(e.g., IMEI or IMEISV) and Application-ID are further described below(e.g., a service provider can restrict remote access to a networkenabled thermostat that was determined to be compromised as furtherdescribed below).

As will now be apparent to those of ordinary skill in the art, mobileservice providers (e.g., service providers of mobile networks, serviceproviders of mobile devices or IoTs, security service providers, orother entities that provide devices/services associated with usingmobile networks) can provide each of these mobile device identifierbased firewall services or combinations thereof as well as various othermobile device identifier based services using the disclosed techniques.Also, mobile service providers can apply the disclosed techniques toprovide such using a mobile device identifier based firewall services incombination with various other enhanced security services, such aslocation based, subscriber/user identity based, RAT based, and/orcombinations thereof, as further described below.

These and other techniques for providing enhanced security in mobilenetworks for service providers based on mobile device identifierinformation and Application-ID (e.g., and/or other DPI and/or NGFWtechniques, such as user ID, content ID, URL filtering, etc.) will befurther described below.

Techniques for Mobile User Identity and/or SIM-Based IoT Identity andApplication Identity Based Security Enforcement in Mobile Networks forService Providers

In one embodiment, the disclosed techniques for enhanced security inmobile networks for service providers include providing a mobile useridentity and/or SIM-based IoT identity based security in mobile networksfor service providers. For example, mobile service providers can applythe disclosed techniques to provide mobile user identity and/orSIM-based IoT identity based security (e.g., in combination withApplication-ID using a NGFW) to user devices (e.g., mobile devices ofsubscribers that include a Subscriber Identity Module (SIM) card or anEmbedded-SIM/Embedded Universal Integrated Circuit Card (eUICC)) thatconnect to their mobile network using 3G, 4G, or 5G Radio AccessTechnology (RAT).

In one embodiment, the disclosed techniques for enhanced security inmobile networks for service providers include providing enhancedsecurity in mobile networks for service providers using a mobile useridentity and Application-ID. For example, mobile service providers canapply the disclosed techniques to provide enhanced security to userdevices (e.g., mobile devices of subscribers) and/or IoT devices thatconnect to their mobile network using 3G, 4G, or 5G Radio AccessTechnology (RAT) based on a mobile user identity and/or SIM-based IoTidentity (e.g., International Mobile Subscriber Identity (IMSI) or othermobile user identifier) and Application-ID (e.g., an Application-ID canbe determined by a security platform monitoring tunneled user trafficthat is inspected using DPI techniques implemented by a NGFW as furtherdescribed below).

In one embodiment, mobile service providers can apply the disclosedtechniques to provide new and enhanced security services using a mobileuser identity and/or using a mobile user identity and Application-ID.For example, mobile service providers can apply the disclosed techniquesto provide a firewall service using a mobile user identity (e.g., IMSIor other mobile user identity) and Application-ID. As another example,mobile service providers can apply the disclosed techniques to provide athreat detection service using a mobile user identity and Application-ID(e.g., a mobile user identity based, basic threat detection service forknown threats, a mobile user identity based, advanced threat detectionservice for unknown threats, and/or other threat detection services thatcan utilize mobile user identity based information to apply securitypolicies). As yet another example, mobile service providers can applythe disclosed techniques to provide a threat prevention service forknown threats using a mobile user identity and Application-ID (e.g., amobile user identity based, basic threat prevention service for knownthreats, a mobile user identity based, advanced threat preventionservice for unknown threats, and/or other threat prevention servicesthat can utilize mobile user identity based information to applysecurity policies). As an additional example, mobile service providerscan apply the disclosed techniques to provide a URL filtering serviceusing a mobile user identity and Application-ID. As a further example,mobile service providers can apply the disclosed techniques to providean application Denial of Service (DoS) detection service for DoS attacksusing a mobile user identity and Application-ID. As another example,mobile service providers can apply the disclosed techniques to providean application Denial of Service (DoS) prevention service for DoSattacks using a mobile user identity and Application-ID.

As similarly described above, GPRS Tunneling Protocol (GTP) is a groupof IP-based communication protocols used on various interfaces withinthe Global System for Mobile Communication (GSM), Universal MobileTelecommunications System (UMTS), and Long Term Evolution (LTE) network.GTPv1-C and GTPv2-C are used in today's mobile networks (e.g., GTPv1-Cand GTPv2-C are generally used in today's 3G and 4G/LTE mobile networks,respectively).

In one embodiment, the disclosed techniques for enhanced security inmobile networks for service providers include performing mobile useridentity and/or SIM-based IoT identity based security in mobile networksusing a security platform that can implement security policies based onmobile user identity and/or SIM-based IoT identity information andApplication-ID. For example, a security platform can monitor GTP-Ctraffic in a mobile network and process (e.g., parse) GTP-C messages toextract mobile user identity and/or SIM-based IoT identity (e.g., mobileuser identifier information, such as IMSI, can be extracted from aCreate PDP Request message in a 3G mobile network or a Create SessionRequest message in a 4G mobile network).

In one embodiment, a security platform is configured to extract mobileuser identity information (e.g., IMSI) from a GTPv1-C Create PDP Request(e.g., in a 3G mobile network). In one embodiment, a security platformis configured to extract mobile user identity information (e.g., IMSI)from a GTPv2-C Create Session (e.g., in a 4G mobile network).

For example, a GTPv2-C Create Session Request message can generally besent by various network elements in a mobile network (e.g., ServingGateway (SGW), Mobility Management Entity (MME), and/or other networkelements in the mobile network) as similarly described herein withrespect to FIG. 2B. Also, such a Request message can generally be senton various interfaces (e.g., S11, S5/S8, S4, and/or other interfaces inthe mobile network as part of many procedures, such as an E-UTRANinitial attach, UE requested PDN connectivity, PDP content activation,handover from trusted or untrusted non-3GPP IP access to E-UTRAN, and/orother procedures). The IMSI Information Element (IE) is generallypresent in a GTPv2-C Create Session Request message as specified in 3GPPTS 29.274.

As another example, the security platform can extract mobile useridentity information (e.g., IMSI) from GTPv1-C Create PDP Requestmessages, which are generally sent from an SGSN node to a GGSN node as apart of the GPRS PDP Context Activation procedure as similarly describedherein with respect to FIG. 2A.

Accordingly, the disclosed techniques for enhanced security in mobilenetworks for service providers include performing security in mobilenetworks using a security platform that can implement security policies(e.g., for users/subscribers of the mobile network) based on IMSI andApplication-ID. In addition, the disclosed techniques for enhancedsecurity in mobile networks for service providers include performingsecurity in mobile networks using a security platform that can implementsecurity policies (e.g., for mobile devices and/or IoT devices thatinclude a SIM or embedded SIM) based on IMSI and Application-ID.

In one embodiment, the security platform can extract mobile useridentity information (e.g., IMSI) to perform security based on asecurity policy that can be applied based on the mobile user identityinformation. In one embodiment, the security platform can extract mobileuser identity information (e.g., IMSI) and perform DPI to identify anApplication-ID to perform security based on a security policy that canbe applied based on the mobile user identity information andApplication-ID.

In one embodiment, the security platform can extract mobile useridentity information (e.g., IMSI) and perform DPI to identify anApplication-ID to perform security based on a security policy that canbe applied based on the mobile user identity information andApplication-ID. For example, the security platform can perform threatdetection by applying a security policy per IMSI and Application-ID inmobile and converged networks using the disclosed techniques. As anotherexample, the security platform can perform threat prevention by applyinga security policy per IMSI and Application-ID in mobile and convergednetworks using the disclosed techniques. As yet another example, thesecurity platform can perform URL filtering by applying a securitypolicy per IMSI and Application-ID in mobile and converged networksusing the disclosed techniques. Example use case scenarios for enhancedsecurity that can be performed on mobile networks for service providersusing such mobile user identity information (e.g., IMSI) andApplication-ID are further described below (e.g., a service provider canblock access to a resource, such as a device or application for thedevice, based on mobile user identity information as further describedbelow).

As will now be apparent to those of ordinary skill in the art, mobileservice providers (e.g., service providers of mobile networks, serviceproviders of mobile devices or IoTs, security service providers, orother entities that provide devices/services associated with usingmobile networks) can provide each of these mobile user identity basedfirewall services or combinations thereof as well as various othermobile user identity based services using the disclosed techniques.Also, mobile service providers can apply the disclosed techniques toprovide such using a mobile user identity based firewall services incombination with various other enhanced security services, such aslocation based, mobile device identifier based, RAT based, and/orcombinations thereof, as further described below.

These and other techniques for providing enhanced security in mobilenetworks for service providers based on mobile user identity informationand Application-ID (e.g., and/or other DPI and/or NGFW techniques, suchas user ID, content ID, URL filtering, etc.) will be further describedbelow.

Techniques for Radio Access Technology Based Security Enforcement inMobile Networks for Service Providers

In one embodiment, the disclosed techniques for enhanced security inmobile networks for service providers include providing a Radio AccessTechnology (RAT) based security in mobile networks for serviceproviders. For example, mobile service providers can apply the disclosedtechniques to provide RAT based security (e.g., in combination withApplication-ID using a NGFW) to user devices that connect to theirmobile network using 3G, 4G, or 5G Radio Access Technology (RAT).

In one embodiment, the disclosed techniques for enhanced security inmobile networks for service providers include providing RAT basedsecurity in mobile networks for service providers. For example, mobileservice providers can apply the disclosed techniques to provide RATbased security to user devices (e.g., mobile devices of subscribers)and/or IoT devices that connect to their mobile network using 3GPP RATor non-3GPP RAT.

In one embodiment, mobile service providers can apply the disclosedtechniques to provide new and enhanced security services based on RAT.For example, mobile service providers can apply the disclosed techniquesto provide a RAT based firewall service. As another example, mobileservice providers can apply the disclosed techniques to provide a threatdetection service using RAT information (e.g., a RAT based, basic threatdetection service for known threats, a RAT based, advanced threatdetection service for unknown threats, and/or other threat detectionservices that can utilize RAT based information to apply securitypolicies). As yet another example, mobile service providers can applythe disclosed techniques to provide a threat prevention service forknown threats using RAT information (e.g., a RAT based, basic threatprevention service for known threats, a RAT based, advanced threatprevention service for unknown threats, and/or other threat preventionservices that can utilize RAT based information to apply securitypolicies). As an additional example, mobile service providers can applythe disclosed techniques to provide a URL filtering service using RATinformation.

As similarly described above, GPRS Tunneling Protocol (GTP) is a groupof IP-based communication protocols used on various interfaces withinthe Global System for Mobile Communication (GSM), Universal MobileTelecommunications System (UMTS), and Long Term Evolution (LTE) network.GTPv1-C and GTPv2-C are used in today's mobile networks (e.g., GTPv1-Cand GTPv2-C are generally used in today's 3G and 4G/LTE mobile networks,respectively).

In one embodiment, the disclosed techniques for enhanced security inmobile networks for service providers include performing RAT basedsecurity in mobile networks using a security platform that can implementsecurity policies based on RAT information. For example, a securityplatform can monitor GTP-C traffic in a mobile network and process(e.g., parse) GTP-C messages to extract RAT information.

In one embodiment, a security platform is configured to extract RATinformation from a GTPv2-C Create Session (e.g., in a 4G mobilenetwork). For example, a GTPv2-C Create Session Request message cangenerally be sent by various network elements in a mobile network (e.g.,Serving Gateway (SGW), Mobility Management Entity (MME), and/or othernetwork elements in the mobile network) as similarly described hereinwith respect to FIG. 2B. Also, such a Create Session Request message cangenerally be sent on various interfaces (e.g., S11, S5/S8, S4, and/orother interfaces in the mobile network as part of many procedures, suchas an E-UTRAN initial attach, UE requested PDN connectivity, PDP contentactivation, handover from trusted or untrusted non-3GPP IP access toE-UTRAN, and/or other procedures). The RAT Information Element (IE) isgenerally present in a GTPv2-C Create Session Request message asspecified in 3GPP TS 29.274. For example, the RAT IE can be set to 3GPPaccess or to non-3GPP access that the User Equipment (UE) is using toattach to the mobile network.

In one embodiment, the disclosed techniques for enhanced security inmobile networks for service providers include performing RAT basedsecurity in mobile networks using a security platform that can implementsecurity policies based on RAT information (e.g., RAT Types supported byGTPv2-C). Example RAT Types supported by GTPv2-C include the following:UTRAN (e.g., RAT Type value=1), GERAN (e.g., RAT Type value=2), WLAN(e.g., RAT Type value=3), GAN (e.g., RAT Type value=4), HSPA Evolution(e.g., RAT Type value=5), EUTRAN (WB-E-UTRAN) (e.g., RAT Type value=6),Virtual (e.g., RAT Type value=7), and EUTRAN-NB-IoT (e.g., RAT Typevalue=8).

In one embodiment, a security platform is configured to extract RATinformation from a GTPv1-C Create PDP Request message (e.g., in a 3Gmobile network). For example, the security platform can extract RATinformation from GTPv1-C Create PDP Request messages, which aregenerally sent from an SGSN node to a GGSN node as a part of the GPRSPDP Context Activation procedure as similarly described herein withrespect to FIG. 2A.

Accordingly, the disclosed techniques for enhanced security in mobilenetworks for service providers include performing security in mobilenetworks using a security platform that can implement security policiesbased on RAT information. In one embodiment, the security platform canextract RAT information to perform security based on a security policythat can be applied based on the RAT information. For example, thesecurity platform can perform threat detection by applying a securitypolicy per RAT Type in mobile and converged networks using the disclosedtechniques. As another example, the security platform can perform threatprevention by applying a security policy per RAT Type in mobile andconverged networks using the disclosed techniques. As yet anotherexample, the security platform can perform URL filtering by applying asecurity policy per RAT Type in mobile and converged networks using thedisclosed techniques. Example use case scenarios for enhanced securitythat can be performed on mobile networks for service providers using RATinformation are further described below (e.g., a Tier-1 cellular/mobileservice provider that leases 3G (but not 4G) cellular/mobile networkaccess to a Tier-2 service provider can configure the disclosed securityplatform to utilize RAT information to allow access to their 3G networkfor users/subscribers to the Tier-2 cellular/mobile service provider butrestrict/not allow access to their 4G network for suchusers/subscribers, such as further described below).

As will now be apparent to those of ordinary skill in the art, mobileservice providers (e.g., service providers of mobile networks, serviceproviders of mobile devices or IoTs, security service providers, orother entities that provide devices/services associated with usingmobile networks) can provide each of these RAT based firewall servicesor combinations thereof as well as various other RAT based servicesusing the disclosed techniques. Also, mobile service providers can applythe disclosed techniques to provide such using RAT based firewallservices in combination with various other enhanced security services,such as location based, mobile device identifier based, mobile useridentifier based, and/or combinations thereof, as further describedbelow.

These and other techniques for providing enhanced security in mobilenetworks for service providers based on RAT information (e.g., and/or incombination with various DPI and/or NGFW techniques, such asApplication-ID, user ID, content ID, URL filtering, etc.) will befurther described below.

Example Use Cases of Enhanced Security for Mobile/Service ProviderNetworks Using a Security Platform for Security Policy Enforcement

FIG. 4A is an example use case of providing enhanced security forroaming access in a 3G network in accordance with some embodiments.Specifically, FIG. 4A shows a network placement of a security platform,shown as a Roaming Firewall 402, between a GGSN 404 and an SGSN 406 in a3G network.

Referring to FIG. 4A, a Create PDP Request message (e.g., and/or othercontrol/signaling messages) for a roaming subscriber, shown as RoamingSubscribers 408, sent from SGSN 406 to GGSN 404 using the Gp interfaceand the GTPv1-C protocol (e.g., and/or tunneled user data communicationsusing the GTP-U protocol) can be monitored using Roaming Firewall 402 asshown. For example, various security policies can be enforced by RoamingFirewall 402 based on parameters/information extracted from such GTPv1-Cmessages and/or user data communications in GTP-U traffic using thedisclosed techniques (e.g., roaming subscribers generally can have adistinct security policy enforced that is different than a securitypolicy enforced for non-roaming subscribers, roaming subscribers mayhave access restricted based on RAT Type, roaming subscribers may haveaccess restricted based on RAT Type and Application-ID (and/or other DPIdetermined information, such as Content-ID, User-ID, URL, etc.), and/orvarious other security policies can be enforced).

FIG. 4B is an example use case of providing enhanced security forroaming access in a 4G/LTE network in accordance with some embodiments.Specifically, FIG. 4B shows a network placement of a security platform,shown as a Roaming Firewall 410, between a PGW 412 and an SGW 414 andMME 416 in a 4G/LTE network.

Referring to FIG. 4B, a Create Session Request message (e.g., and/orother control/signaling messages) for a roaming subscriber, shown asRoaming Subscribers 418, sent from MME 416 to SGW 414 using the S11interface and then to PGW 412 using the S8 interface and the GTPv2-Cprotocol (e.g., and/or tunneled user data communications using the GTP-Uprotocol) can be monitored using Roaming Firewall 410 as shown. Forexample, various security policies can be enforced by Roaming Firewall410 based on parameters/information extracted from such GTPv2-C messagesand/or user data communications in GTP-U traffic using the disclosedtechniques (e.g., roaming subscribers generally can have a distinctsecurity policy enforced that is different than a security policyenforced for non-roaming subscribers, roaming subscribers may haveaccess restricted based on RAT Type, roaming subscribers may have accessrestricted based on RAT Type and Application-ID (and/or other DPIdetermined information, such as Content-ID, User-ID, URL, etc.), and/orvarious other security policies can be enforced).

FIG. 4C is an example use case of providing enhanced security forroaming access in a mixed 3G and 4G/LTE network in accordance with someembodiments. Specifically, FIG. 4C shows a network placement of asecurity platform, shown as a Roaming Firewall 420, between a GGSN 422and an SGSN 424 in a 3G network. FIG. 4C also shows a network placementof Roaming Firewall 420 between a PGW 426 and an SGW 428 in a 4G/LTEnetwork.

Referring to FIG. 4C, a Create Session/PDP Request messages (e.g.,and/or other control/signaling messages) for a roaming subscriber, shownas Roaming Subscribers 430, sent using the Gp/S8 interfaces and theGTPv1-C/GTPv2-C protocols (e.g., and/or tunneled user datacommunications using the GTP-U protocol) can be monitored using RoamingFirewall 420 as shown and as similarly described above. For example,various security policies can be enforced by Roaming Firewall 420 basedon parameters/information extracted from such GTPv1-C/GTPv2-C messagesand/or user data communications in GTP-U traffic using the disclosedtechniques (e.g., roaming subscribers generally can have a distinctsecurity policy enforced that is different than a security policyenforced for non-roaming subscribers, roaming subscribers may haveaccess restricted based on RAT Type (such as roaming users may berestricted to only access the 3G network in the H-PLMN (Home Network) asshown in FIG. 4C), roaming subscribers may have access restricted basedon RAT Type and Application-ID (and/or other DPI determined information,such as Content-ID, User-ID, URL, etc.), and/or various other securitypolicies can be enforced).

FIG. 4D is an example use case of providing enhanced security for mobileaccess in a 4G/LTE network in accordance with some embodiments.Specifically, FIG. 4D shows a network placement of a security platform,shown as a RAN Firewall 432, between an SGW 434 and an MME 436 in a4G/LTE network.

Referring to FIG. 4D, a Create Session Request message (e.g., and/orother control/signaling messages) for a mobile subscriber in a homenetwork, shown as Mobile Subscribers 440, sent from MME 436 to SGW 434using the S11 interface (e.g., and/or tunneled user data communicationsusing the GTP-U protocol) can be monitored using RAN Firewall 432 asshown. For example, various security policies can be enforced by RANFirewall 432 based on parameters/information extracted from such GTPv2-Cmessages and/or user data communications in GTP-U traffic using thedisclosed techniques (e.g., mobile subscribers generally can have adistinct security policy enforced based on a location, deviceidentifier, subscriber identity, and/or RAT associated with the mobilesubscribers, mobile subscribers also generally can have a distinctsecurity policy enforced based on a location, device identifier,subscriber identity, and/or RAT associated with the mobile subscribersin combination with Application-ID (and/or other DPI determinedinformation, such as Content-ID, User-ID, URL, etc.), and/or variousother security policies can be enforced).

FIG. 4E is an example use case of providing enhanced security fornon-3GPP access in a 4G/LTE network in accordance with some embodiments.Specifically, FIG. 4E shows a network placement of a security platform,shown as a Non-3GPP Access Firewall 442, between a between a PGW 444 andan evolved Packet Data Gateway (ePDG) 446 and a Trusted Wi-Fi AccessGateway (TWAG) 448 in a 4G/LTE network.

Referring to FIG. 4E, a Create Session Request message (e.g., and/orother control/signaling messages) for a mobile subscriber in anuntrusted non-3GPP Access Network or from a mobile subscriber in atrusted 3GPP Access Network (e.g., and/or tunneled user datacommunications using the GTP-U protocol) can be monitored using Non-3GPPAccess Firewall 442 as shown. For example, various security policies canbe enforced by Non-3GPP Access Firewall 442 based onparameters/information extracted from such GTPv2-C messages and/or userdata communications in GTP-U traffic using the disclosed techniques(e.g., mobile subscribers generally can have a distinct security policyenforced based on a location, device identifier, subscriber identity,and/or RAT associated with the mobile subscribers, mobile subscribersalso generally can have a distinct security policy enforced based on alocation, device identifier, subscriber identity, and/or RAT associatedwith the mobile subscribers in combination with Application-ID (and/orother DPI determined information, such as Content-ID, User-ID, URL,etc.), and/or various other security policies can be enforced).

FIG. 4F is an example use case of providing enhanced security for mobileaccess using a core firewall in a 4G/LTE network in accordance with someembodiments. Specifically, FIG. 4F shows a network placement of asecurity platform, shown as a Core Firewall 452, between a between a SGW454 and a PGW 456 in a 4G/LTE network.

Referring to FIG. 4F, a Create Session Request message (e.g., and/orother control/signaling messages) for a mobile subscriber (e.g., and/ortunneled user data communications using the GTP-U protocol) can bemonitored using Core Firewall 452 as shown. For example, varioussecurity policies can be enforced by Core Firewall 452 based onparameters/information extracted from such GTPv2-C messages and/or userdata communications in GTP-U traffic using the disclosed techniques(e.g., mobile subscribers generally can have a distinct security policyenforced based on a location, device identifier, subscriber identity,and/or RAT associated with the mobile subscribers, mobile subscribersalso generally can have a distinct security policy enforced based on alocation, device identifier, subscriber identity, and/or RAT associatedwith the mobile subscribers in combination with Application-ID (and/orother DPI determined information, such as Content-ID, User-ID, URL,etc.), and/or various other security policies can be enforced).

FIG. 4G is an example use case of providing enhanced security for mobileaccess using a core firewall in a 3G network in accordance with someembodiments. Specifically, FIG. 4G shows a network placement of asecurity platform, shown as a Core Firewall 462, between a between aSGSN 464 and a GGSN 466 in a 3G network.

Referring to FIG. 4G, a Create Session Request message (e.g., and/orother control/signaling messages) for a mobile subscriber (e.g., and/ortunneled user data communications using the GTP-U protocol) can bemonitored using Core Firewall 462 as shown. For example, varioussecurity policies can be enforced by Core Firewall 462 based onparameters/information extracted from such GTPv2-C messages and/or userdata communications in GTP-U traffic using the disclosed techniques(e.g., mobile subscribers generally can have a distinct security policyenforced based on a location, device identifier, subscriber identity,and/or RAT associated with the mobile subscribers, mobile subscribersalso generally can have a distinct security policy enforced based on alocation, device identifier, subscriber identity, and/or RAT associatedwith the mobile subscribers in combination with Application-ID (and/orother DPI determined information, such as Content-ID, User-ID, URL,etc.), and/or various other security policies can be enforced).

Additional Example Use Case Scenarios of Enhanced Security forMobile/Service Provider Networks Using a Security Platform for SecurityPolicy Enforcement

The disclosed techniques for providing enhanced security formobile/service provider networks using a security platform for securitypolicy enforcement can be applied in a variety of additional example usecase scenarios for facilitating enhanced and more flexible and dynamicsecurity within mobile/service provider network environments. Additionalexample use case scenarios will be further described below.

As a first example use case scenario, assume that a subscriber, Alice,signs up for enhanced security through her mobile network serviceprovider (e.g., AT&T®, T-Mobile®, Verizon®, or another serviceprovider), and the security platform dynamically applies a new securitypolicy based on Alice's subscriber identity (IMSI) and/or Alice's deviceidentifiers (e.g., IMEI associated with Alice's mobile phone or herother device(s)). In addition, such security policy enforcementimplemented for sessions associated with Alice and/or her devices on themobile network controlled/managed by her service provider can includesecurity policy enforcement based on other information/parameters, suchas location and/or RAT, based on threat detection/prevention, URLfiltering, Application-ID, Content-ID, and/or other DPI based securitypolicy inspection/enforcement as similarly described above.

As a second example use case scenario, assume that control of one ormore applications within an automobile (e.g., radio application,acceleration control, steering wheel control, brakes control) ishijacked by an unauthorized user/entity. In this scenario, the disclosedtechniques can be applied by enforcing a security policy per automobile(e.g., based on the IMEI associated with the compromised/infectedautomobile), per user (e.g., based on IMSI), per location, and/or perapplication (e.g., based on the Application-ID). Specifically, a serviceprovider can block the attack/control for specific applications per user(e.g., IMSI) and/or per the identifier of the automobile (e.g., IMEI)using a security platform that implements the disclosed techniques. Forexample, the security platform can detect that the automobile isinfected, such as based on detecting Command and Control (C&C) traffic(e.g., using DPI based firewall techniques, such as by monitoring DNSrequests from the automobile, and/or using other DPI based firewalltechniques). As another example, the security platform can detectmalware traffic directed towards the automobile (e.g., using DPI basedfirewall techniques, such as by performing URL filtering, identifying aContent-ID, and/or using other DPI based firewall techniques). Thefirewall can be configured to generate alerts, block/drop packets, orperform other actions including blocking a specific application (e.g.,based on Application-ID and IMEI for the automobile, including foracceleration, steering, and brake applications but can allow a radioapplication to have Internet access, which can be configured as ablocking/whitelisting of applications and/or modify access privilegeswhen suspicious/malware behavior is detected). As yet another example,if hacker hardware identity (IMEI) is determined to beattacking/targeting the automobile, then all GTP-C Create PDP/SessionMessages can be blocked/dropped to disallow any communications from suchan unauthorized entity (e.g., hacker/device being utilized by thehacker).

As a third example use case scenario, assume that a network accessiblethermostat (e.g., an IoT thermostat) is hijacked by an unauthorizeduser/entity. In this scenario, the disclosed techniques can be appliedby enforcing a security policy per thermostat (e.g., based on the IMEIassociated with the compromised/infected thermostat), per user (e.g.,based on IMSI), per location, and/or per application (e.g., based on theApplication-ID). Specifically, a service provider can block theattack/control for specific applications per user (e.g., IMSI) and/orper identifier of the thermostat (e.g., IMEI) using a security platformthat implements the disclosed techniques. For example, the securityplatform can detect that the thermostat is infected, such as based ondetecting Command and Control (C&C) traffic (e.g., using DPI basedfirewall techniques, such as by monitoring DNS requests from theautomobile, and/or using other DPI based firewall techniques). Asanother example, the security platform can detect malware trafficdirected towards the thermostat (e.g., using DPI based firewalltechniques, such as by performing URL filtering, identifying aContent-ID, and/or using other DPI based firewall techniques). Thefirewall can be configured to generate alerts, block/drop packets, orperform other actions including blocking a specific application (e.g.,based on Application-ID and IMEI for the thermostat, including forremote control of the temperature such as via Internet access, such thatusers can only manually change on the thermostat device dial itself butnot via the Internet, which can be configured as a blocking ofapplications and/or modify access privileges when suspicious/malwarebehavior is detected). As yet another example, if hacker hardwareidentity (IMEI) is determined to be attacking/targeting the thermostat,then all GTP-C Create PDP/Session Messages can be blocked/dropped todisallow any communications from such an unauthorized entity (e.g.,hacker/device being utilized by the hacker).

As a fourth example use case scenario, assume that a given location issubject to an emergency forest fire event, the security platform thatimplements the disclosed techniques can be configured to block all GTP-CCreate PD/Session Messages based on location information/parameter(s) inthat geographical area. For example, the blocking of such new GTPsessions in the geographical area of the emergency forest fire event canbe used to prevent unauthorized/non-emergency personnel from flyingdrones that may interfere with the fire-fighting effort in thegeographical area of the emergency forest fire event (e.g., as such mayinterfere with helicopter or airplane usage for fighting the fire orotherwise put emergency personnel/others at further risk).

In an example implementation, mobile network service providers and/orother service providers can use a table(s) (e.g., stored in a data planeof a security platform device, such as further described below) that caninclude a correlation of IMEI, IMSI, and IP address to implement suchsecurity policies in various use case scenarios. For example, for a homeor office that has a plurality of IoT devices that are associated with agiven IP address for the user's home or office network, the user canenter the respective IMSI for each of their IoT devices. In thisexample, a security policy can be implemented per IMSI (e.g., inaddition to per IP address, as such would impact each of the user's homeor office IoT devices as they are each associated with that user's samehome IP address using NAT). As such, mobile network or other serviceproviders can use the table to perform security policy using theabove-described techniques.

As a fifth example use case scenario, assume that a network serviceprovider (e.g., Small Cell Company, which is a tier-2 or tier-3 mobileoperator company) leases network access from another network serviceprovider (e.g., Large Cell Company, such as AT&T or Verizon, which is atier-1 mobile operator company), then the Large Cell Company can utilizea security platform that performs the disclosed techniques to allow RATsand/or block RATs based on a security policy that corresponds to thelease agreement between Large Cell Company and Small Cell Company (e.g.,Large Cell Company may have only leased 3G networks, but not 4Gnetworks, to Small Cell Company). As another example, Large Cell Companymay have only leased RAT access for IoT to Small Cell Company (e.g., asecurity policy can be specified for IoT access, in which applicationsand protocols that can be used on IoT (whitelisted) are specified in thesecurity policy such that other protocols/applications can beblocked/filtered as not allowed (blacklisted)).

As will now be apparent in view of the disclosed embodiments, a networkservice provider/mobile operator (e.g., a cellular service providerentity), a device manufacturer (e.g., an automobile entity, IoT deviceentity, and/or other device manufacturer), and/or system integrators canspecify such security policies that can be enforced by a securityplatform using the disclosed techniques to solve these and othertechnical network security challenges.

Example Hardware Components of a Network Device for Performing SecurityPolicy Enforcement on Mobile/Service Provider Network Environments

FIG. 5 is a functional diagram of hardware components of a networkdevice for performing security policy enforcement on mobile/serviceprovider network environments in accordance with some embodiments. Theexample shown is a representation of physical/hardware components thatcan be included in network device 500 (e.g., an appliance, gateway, orserver that can implement the security platform disclosed herein).Specifically, network device 500 includes a high performance multi-coreCPU 502 and RAM 504. Network device 500 also includes a storage 510(e.g., one or more hard disks or solid state storage units), which canbe used to store policy and other configuration information as well assignatures. In one embodiment, storage 510 stores location information,hardware identifier information, subscriber identity information, and/orRAT information and associated IP addresses and possibly otherinformation (e.g., Application-ID, Content-ID, User-ID, URL, and/orother information) that are monitored for implementing the disclosedsecurity policy enforcement techniques using a securityplatform/firewall device. Network device 500 can also include one ormore optional hardware accelerators. For example, network device 500 caninclude a cryptographic engine 506 configured to perform encryption anddecryption operations, and one or more FPGAs 508 configured to performsignature matching, act as network processors, and/or perform othertasks.

Example Logical Components of a Network Device for Performing SecurityPolicy Enforcement on Mobile/Service Provider Network Environments

FIG. 6 is a functional diagram of logical components of a network devicefor performing security policy enforcement on mobile/service providernetwork environments in accordance with some embodiments. The exampleshown is a representation of logical components that can be included innetwork device 600 (e.g., a data appliance, which can implement thedisclosed security platform and perform the disclosed techniques). Asshown, network device 600 includes a management plane 602 and a dataplane 604. In one embodiment, the management plane is responsible formanaging user interactions, such as by providing a user interface forconfiguring policies and viewing log data. The data plane is responsiblefor managing data, such as by performing packet processing and sessionhandling.

Suppose a mobile device attempts to access a resource (e.g., a remoteweb site/server, an IoT device, or another resource) using an encryptedsession protocol, such as SSL. Network processor 606 is configured tomonitor packets from the mobile device, and provide the packets to dataplane 604 for processing. Flow 608 identifies the packets as being partof a new session and creates a new session flow. Subsequent packets willbe identified as belonging to the session based on a flow lookup. Ifapplicable, SSL decryption is applied by SSL decryption engine 610 usingvarious techniques as described herein. Otherwise, processing by SSLdecryption engine 610 is omitted. Application identification (APP ID)module 612 is configured to determine what type of traffic the sessioninvolves and to identify a user associated with the traffic flow (e.g.,to identify an Application-ID as described herein). For example, APP ID612 can recognize a GET request in the received data and conclude thatthe session requires an HTTP decoder. As another example, APP ID 612 canrecognize a Create Session Request or a Create PDP Request in thereceived data and conclude that the session requires a GTP decoder. Foreach type of protocol, there exists a corresponding decoder 614. In oneembodiment, the application identification is performed by anapplication identification module (e.g., APP-ID component/engine), and auser identification is performed by another component/engine. Based onthe determination made by APP ID 612, the packets are sent to anappropriate decoder 614. Decoder 614 is configured to assemble packets(e.g., which may be received out of order) into the correct order,perform tokenization, and extract out information. Decoder 614 alsoperforms signature matching to determine what should happen to thepacket. SSL encryption engine 616 performs SSL encryption using varioustechniques as described herein and the packets are then forwarded usinga forward component 618 as shown. As also shown, policies 620 arereceived and stored in the management plane 602. In one embodiment,policy enforcement (e.g., policies can include one or more rules, whichcan be specified using domain and/or host/server names, and rules canapply one or more signatures or other matching criteria or heuristics,such as for security policy enforcement for subscriber/IP flows onservice provider networks based on various extractedparameters/information from monitored GTP-C messages and/or DPI ofmonitored GTP-U traffic as disclosed herein) is applied as describedherein with respect to various embodiments based on the monitored,decrypted, identified, and decoded session traffic flows.

As also shown in FIG. 6, an interface (I/F) communicator 622 is alsoprovided for security platform manager communications (e.g., via (REST)APIs, messages, or network protocol communications or othercommunication mechanisms). In some cases, network communications ofother network elements on the service provider network are monitoredusing network device 600, and data plane 604 supports decoding of suchcommunications (e.g., network device 600, including I/F communicator 622and decoder 614, can be configured to monitor and/or communicate on, forexample, Gn, Gp, SGi, Gi, S1, S5, S8, S11, and/or other interfaces wherewired and wireless network traffic flow exists as similarly describedherein). As such, network device 600 including I/F communicator 622 canbe used to implement the disclosed techniques for security policyenforcement on mobile/service provider network environments as describedabove and as will be further described below.

Additional example processes for the disclosed techniques for performingsecurity policy enforcement on mobile/service provider networkenvironments will now be described.

Example Processes for Location Based Security in Mobile Networks forService Providers

FIG. 7 is a flow diagram of a process for performing location basedsecurity in mobile networks for service providers in accordance withsome embodiments. In some embodiments, a process 700 as shown in FIG. 7is performed by the security platform and techniques as similarlydescribed above including the embodiments described above with respectto FIGS. 1A-6. In one embodiment, process 700 is performed by dataappliance 500 as described above with respect to FIG. 5, network device600 as described above with respect to FIG. 6, a virtual appliance, anSDN security solution, a cloud security service, and/or combinations orhybrid implementations of the aforementioned as described herein.

The process begins at 702. At 702, monitoring network traffic on aservice provider network at the security platform to identify a locationfor a new session is performed. For example, the security platform(e.g., a firewall, a network sensor acting on behalf of the firewall, oranother device/component that can implement security policies) canextract location information/parameters from GTP-C traffic on the mobilecore network as similarly described above.

At 704, associating the location with the new session at the securityplatform is performed. For example, the security platform can identifynew IP sessions (e.g., data calls or other sessions) and associate thelocation and assigned IP address with the new flow (e.g., cached/storedin a table in a data plane of the security platform) as similarlydescribed above.

At 706, determining a security policy to apply at the security platformto the new session based on the location is performed. For example, thesecurity policy can be determined and/or enforced based on variouscombinations of location, hardware identifier, subscriber identity, andRAT information and/or based on information detected/determined usingDPI based firewall techniques, such as by performing URL filtering,identifying an Application-ID, identifying a Content-ID, and/or usingother DPI based firewall techniques as similarly described above.

At 708, enforcing the security policy on the new session using thesecurity platform is performed. For example, various enforcement actions(e.g., allow/pass, block/drop, alert, tag, monitor, log, throttle,restrict access, and/or other enforcement actions) can be performedusing the security platform as similarly described above.

Example Processes for Mobile Equipment Identity and/or IoT EquipmentIdentity and Application Identity based Security Enforcement in MobileNetworks for Service Providers

FIG. 8 is a flow diagram of a process for performing mobile equipmentidentity and/or IoT equipment identity and application identity basedsecurity enforcement for service providers in mobile networks inaccordance with some embodiments. In some embodiments, a process 800 asshown in FIG. 8 is performed by the security platform and techniques assimilarly described above including the embodiments described above withrespect to FIGS. 1A-6. In one embodiment, process 800 is performed bydata appliance 500 as described above with respect to FIG. 5, networkdevice 600 as described above with respect to FIG. 6, a virtualappliance, an SDN security solution, a cloud security service, and/orcombinations or hybrid implementations of the aforementioned asdescribed herein.

The process begins at 802. At 802, monitoring network traffic on aservice provider network at the security platform to identify a mobileequipment identity and/or IoT equipment identity for a new session isperformed. For example, the security platform (e.g., a firewall, anetwork sensor acting on behalf of the firewall, or anotherdevice/component that can implement security policies) can extractmobile equipment identity and/or IoT equipment identityinformation/parameters (e.g., IMEI) from GTP-C traffic on the mobilecore network as similarly described above.

At 804, determining an application identity (e.g., applicationidentifier) for user traffic associated with the new session at thesecurity platform is performed. For example, an application identifier(e.g., Application-ID) can be identified by monitoring GTP-U trafficusing DPI based firewall techniques as similarly described above.

At 806, determining a security policy to apply at the security platformto the new session based on the mobile equipment identity and/or IoTequipment identity and application identity is performed. For example,the security policy can be determined and/or enforced based on variouscombinations of location, hardware identifier, subscriber identity, andRAT information and/or based on information detected/determined usingDPI based firewall techniques, such as by performing URL filtering,identifying an Application-ID, identifying a Content-ID, and/or usingother DPI based firewall techniques as similarly described above.

At 808, enforcing the security policy on the new session using thesecurity platform is performed. For example, various enforcement actions(e.g., allow/pass, block/drop, alert, tag, monitor, log, throttle,restrict access, and/or other enforcement actions) can be performedusing the security platform as similarly described above.

Example Processes for Mobile User Identity and/or SIM-Based IoT Identityand Application Identity Based Security Enforcement in Mobile Networksfor Service Providers

FIG. 9 is a flow diagram of a process for performing mobile useridentity and/or SIM-based IoT identity and application identity basedsecurity enforcement for service providers in mobile networks inaccordance with some embodiments. In some embodiments, a process 900 asshown in FIG. 9 is performed by the security platform and techniques assimilarly described above including the embodiments described above withrespect to FIGS. 1A-6. In one embodiment, process 900 is performed bydata appliance 500 as described above with respect to FIG. 5, networkdevice 600 as described above with respect to FIG. 6, a virtualappliance, an SDN security solution, a cloud security service, and/orcombinations or hybrid implementations of the aforementioned asdescribed herein.

The process begins at 902. At 902, monitoring network traffic on aservice provider network at the security platform to identify asubscriber identity and/or SIM-based IoT identity for a new session isperformed. For example, the security platform (e.g., a firewall, anetwork sensor acting on behalf of the firewall, or anotherdevice/component that can implement security policies) can extractmobile user identity and/or SIM-based IoT identityinformation/parameters (e.g., IMSI) from GTP-C traffic on the mobilecore network as similarly described above.

At 904, determining an application identity (e.g., applicationidentifier) for user traffic associated with the new session at thesecurity platform is performed. For example, an application identifier(e.g., Application-ID) can be identified by monitoring GTP-U trafficusing DPI based firewall techniques as similarly described above.

At 906, determining a security policy to apply at the security platformto the new session based on the subscriber identity and the applicationidentifier is performed. For example, the security policy can bedetermined and/or enforced based on various combinations of location,hardware identifier, subscriber identity, and RAT information and/orbased on information detected/determined using DPI based firewalltechniques, such as by performing URL filtering, identifying anApplication-ID, identifying a Content-ID, and/or using other DPI basedfirewall techniques as similarly described above.

At 908, enforcing the security policy on the new session using thesecurity platform is performed. For example, various enforcement actions(e.g., allow/pass, block/drop, alert, tag, monitor, log, throttle,restrict access, and/or other enforcement actions) can be performedusing the security platform as similarly described above.

Example Processes for Radio Access Technology Based Security Enforcementin Mobile Networks for Service Providers

FIG. 10 is a flow diagram of a process for performing Radio AccessTechnology (RAT) based security in mobile networks for service providersin accordance with some embodiments. In some embodiments, a process 1000as shown in FIG. 10 is performed by the security platform and techniquesas similarly described above including the embodiments described abovewith respect to FIGS. 1A-6. In one embodiment, process 1000 is performedby data appliance 500 as described above with respect to FIG. 5, networkdevice 600 as described above with respect to FIG. 6, a virtualappliance, an SDN security solution, a cloud security service, and/orcombinations or hybrid implementations of the aforementioned asdescribed herein.

The process begins at 1002. At 1002, monitoring network traffic on aservice provider network at the security platform to identify a RAT fora new session is performed. For example, the security platform (e.g., afirewall, a network sensor acting on behalf of the firewall, or anotherdevice/component that can implement security policies) can extract RATinformation/parameters from GTP-C traffic on the mobile core network assimilarly described above.

At 1004, associating the RAT with the new session at the securityplatform is performed. For example, the security platform can identifynew sessions (e.g., data calls or other sessions) and associate the RATand assigned IP address with the new flow (e.g., cached/stored in atable in a data plane of the security platform) as similarly describedabove.

At 1006, determining a security policy to apply at the security platformto the new session based on the RAT is performed. For example, thesecurity policy can be determined and/or enforced based on variouscombinations of location, hardware identifier, subscriber identity, andRAT information and/or based on information detected/determined usingDPI based firewall techniques, such as by performing URL filtering,identifying an Application-ID, identifying a Content-ID, and/or usingother DPI based firewall techniques as similarly described above.

At 1008, enforcing the security policy on the new session using thesecurity platform is performed. For example, various enforcement actions(e.g., allow/pass, block/drop, alert, tag, monitor, log, throttle,restrict access, and/or other enforcement actions) can be performedusing the security platform as similarly described above.

Although the foregoing embodiments have been described in some detailfor purposes of clarity of understanding, the invention is not limitedto the details provided. There are many alternative ways of implementingthe invention. The disclosed embodiments are illustrative and notrestrictive.

What is claimed is:
 1. A system, comprising: a processor configured to:monitor network traffic on a service provider network at a securityplatform to identify a device identifier for a new session; determine anapplication identifier for user traffic associated with the new sessionat the security platform; and determine a security policy to apply atthe security platform to the new session based on the device identifierand the application identifier; and a memory coupled to the processorand configured to provide the processor with instructions.
 2. The systemrecited in claim 1, wherein the security platform is configured with aplurality of security policies based on the device identifier and theapplication identifier.
 3. The system recited in claim 1, wherein thesecurity platform is configured to perform security policy enforcementbased on the device identifier and the application identifier.
 4. Thesystem recited in claim 1, wherein the security platform is configuredto perform threat detection based on the device identifier and theapplication identifier.
 5. The system recited in claim 1, wherein thesecurity platform is configured to perform threat prevention based onthe device identifier and the application identifier.
 6. The systemrecited in claim 1, wherein the security platform is configured toperform Uniform Resource Link (URL) filtering based on the deviceidentifier and the application identifier.
 7. The system recited inclaim 1, wherein the security platform is configured with a plurality ofsecurity policies based on the device identifier and the applicationidentifier, and wherein the device identifier includes an InternationalMobile Equipment Identifier (IMEI).
 8. The system recited in claim 1,wherein the security platform monitors wireless interfaces including aplurality of interfaces for a control protocol and user data traffic ina mobile core network for a 3G and/or 4G network.
 9. The system recitedin claim 1, wherein the security platform monitors wireless interfacesincluding a plurality of interfaces for a GPRS Tunneling Protocol (GTP)in a mobile core network for a 3G and/or 4G network.
 10. The systemrecited in claim 1, wherein the processor is further configured to:block the new session from accessing a resource based on the securitypolicy.
 11. A method, comprising: monitoring network traffic on aservice provider network at a security platform to identify a deviceidentifier for a new session; determining an application identifier foruser traffic associated with the new session at io the securityplatform; and determining a security policy to apply at the securityplatform to the new session based on the device identifier and theapplication identifier.
 12. The method of claim 11, wherein the securityplatform is configured with a plurality of security policies based onthe device identifier and the application identifier.
 13. The method ofclaim 11, wherein the security platform is configured to performsecurity policy enforcement based on the device identifier and theapplication identifier.
 14. The method of claim 11, wherein the securityplatform is configured to perform threat detection and/or threatprevention based on the device identifier and the applicationidentifier.
 15. The method of claim 11, wherein the security platform isconfigured to perform Uniform Resource Link (URL) filtering based on thedevice identifier and the application identifier.
 16. A computer programproduct, the computer program product being embodied in a tangiblecomputer readable storage medium and comprising computer instructionsfor: monitoring network traffic on a service provider network at asecurity platform to identify a device identifier for a new session;determining an application identifier for user traffic associated withthe new session at the security platform; and determining a securitypolicy to apply at the security platform to the new session based on thedevice identifier and the application identifier.
 17. The computerprogram product recited in claim 16, wherein the security platform isconfigured with a plurality of security policies based on the deviceidentifier and the application identifier.
 18. The computer programproduct recited in claim 16, wherein the security platform is configuredto perform security policy enforcement based on the device identifierand the application identifier.
 19. The computer program product recitedin claim 16, wherein the security platform is configured to performthreat detection and/or threat prevention based on the device identifierand the application identifier.
 20. The computer program product recitedin claim 16, wherein the security platform is configured to performUniform Resource Link (URL) filtering based on the device identifier andthe application identifier.